Please publish the list of the official release PGP keys

[vlsi]

The idea is project page should provide clear steps to verify if the release is official.
I'm afraid I've no standard way of doing that, however it would be nice if you could mention the official PGP key ids in the Download section.

Moving from 4.12 to 5.5.1 gives the following:

> Checksum/PGP violations detected on resolving configuration :src:jorphan:testCompileClasspath
    No trusted PGP keys are configured for group org.apiguardian:
      org.apiguardian:apiguardian-api:1.1.0 (pgp=[85911f425ec61b51], sha512=[computation skipped])
    No trusted PGP keys are configured for group org.junit.jupiter:
      org.junit.jupiter:junit-jupiter-api:5.5.1 (pgp=[85911f425ec61b51], sha512=[computation skipped])
    No trusted PGP keys are configured for group org.junit.platform:
      org.junit.platform:junit-platform-commons:1.5.1 (pgp=[85911f425ec61b51], sha512=[computation skipped])
    No trusted PGP keys are configured for group org.opentest4j:
      org.opentest4j:opentest4j:1.2.0 (pgp=[85911f425ec61b51], sha512=[computation skipped])

See also spring-projects/spring-framework#23434 (comment)

See also jacoco/jacoco#937

See also https://gitlab.ow2.org/asm/asm/issues/317884

Sample implementation for Apache JMeter: https://jmeter.apache.org/download_jmeter.cgi As you see, it refers KEYS file and links to the page with gpg commands to verify the signatures.

PS. I don't really expect that everybody would start verifying their downloads, however making the official key ID publicly available would help for automated verifications as well.

PS. Thanks for JUnit!

[marcphilipp]

The key is mine and published here:
https://keyserver.2ndquadrant.com/pks/lookup?op=get&search=0x85911F425EC61B51

We can certainly mention it in the README and link to a KEYS.md file.

@vlsi Would you mind drafting one in a PR?

[vlsi]

The key is mine and published here:

Thanks, I can receive the key, and signature verification passes.

The issue is that JUnit 5 project does not provide steps to verify the integrity of the downloaded junit.jar files. And it does not clarify which keys are supposed to be the official ones.

Would you mind drafting one in a PR?

Frankly speaking, I'm a bit puzzled what JUnit5 treats as the "official release" page.

For instance:

1. GitHub releases seem to refer to source releases, however they are not signed
2. https://junit.org/junit5/ does not have "download" / "install" sections. I see there's a link to search.maven.org in "Current Versions", however it seems to refer to a subset of junit artifacts.
3. User guide has dependency metadata, however it does not seem to be completely related

[marcphilipp]

Frankly speaking, I'm a bit puzzled what JUnit5 treats as the "official release" page.

Can you please elaborate on what you're looking for? Except for the BOM the links on junit.org include all artifacts. And the sample project show how to use it from different build tools. I don't see why we should attach binaries to GitHub releases. Who would use that?

[vlsi]

Frankly speaking, I'm a bit puzzled what JUnit5 treats as the "official release" page.

Let me please try with a couple of examples?

https://www.jacoco.org/download.html
https://bytebuddy.net/#/ (see "Getting Byte Buddy")
https://asm.ow2.io/ (see Download)
http://calcite.apache.org/downloads/
http://cassandra.apache.org/download/

The above are the pages that clarify what should be treated as the official release.
If you consider that JUnit5 release consists of "Maven Central artifacts", that is fine.
However, it would be great if you could highlight that on the main website, and add a note that "the official release is signed with the following PGP keys".

I don't see why we should attach binaries to GitHub releases. Who would use that?

That is interesting question, however there are people that still download a bunch of jar files and attach them to their IDEs.
Note: this issue has nothing to do with binaries and/or with use GitHub releases at all.
PGP signing can (should) be performed for both source and binary releases.
Frankly speaking, I don't really expect that I would download JUnit5 releases from GitHub releases page.

The key ask here is to publish the set of release keys on the https://junit.org/junit5/ webpage (which seems to be the official web page for junit5)

And the sample project show how to use it from different build tools

The list of "the official keys" is typically processed by humans.

For instance, what if I add a junit dependency to my project?
How could I know if the jar was produced by true Marc rather than a fake Marc?
Remember that everyone can generate a PGP signature that says "this is signed by Marc Phillip".

However, if someone would generate a fake junit.jar and publish it, then they would have to hack junit.org website in order to add "fake" key to the /KEYS file.

So if download junit.jar, and it happens to pass PGP verification for a key that is listed in junit.org/KEYS, then it means the file was indeed published by somebody who controls the offical junit page.

Maven can verify PGP signatures for dependencies via https://github.com/s4u/pgpverify-maven-plugin
Gradle can verify PGP signatures for dependencies via https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin

[vlsi]

One more datapoint:

https://docs.bazel.build/versions/master/install-compile-source.html#bootstrap-bazel
We recommend to also verify the signature made by our release key 48457EE0.

https://github.com/bazelbuild/bazel/releases
Security: All our binaries are signed with our
public key 48457EE0.

[marcphilipp]

I added a KEYS file and linked to it from junit.org/junit5.